CVE-2026-43619

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-43619
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43619.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-43619
Aliases
  • GHSA-4h9m-w5ff-j735
Downstream
Related
Published
2026-05-20T00:49:14.709Z
Modified
2026-05-28T04:11:59.346375917Z
Severity
  • 7.2 (High) CVSS_V4 - CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Rsync < 3.4.3 Symlink Race Condition via Path-Based Syscalls
Details

Rsync versionĀ 3.4.2 and prior contain symlink race condition vulnerabilities in path-based system calls including chmod, lchown, utimes, rename, unlink, mkdir, symlink, mknod, link, rmdir, and lstat that allow local attackers to redirect operations to files outside the exported rsync module. Attackers with local filesystem access can exploit the timing window between path resolution and syscall execution by swapping symlinks to apply sender-supplied permissions, ownership, timestamps, or filenames to arbitrary files outside the intended module boundary on rsync daemons configured with 'use chroot = no'.

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43619.json",
    "cwe_ids": [
        "CWE-367",
        "CWE-59"
    ],
    "cna_assigner": "VulnCheck"
}
References

Affected packages

Git / git.samba.org/rsync.git/

Affected ranges

Type
GIT
Repo
https://git.samba.org/rsync.git/
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
de3cc03b03be153092f266aa1117b4706947ed07
Database specific 
{
    "cpe": "cpe:2.3:a:samba:rsync:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "3.4.2"
        }
    ],
    "source": "CPE_RANGE"
}

Affected versions

Other
mbp_bk_export0
v1.*
v1.6.4
v1.6.5
v1.6.6
v1.6.7
v1.6.8
v1.6.9
v1.7.0
v1.7.1
v1.7.2
v1.7.3
v1.7.4
v2.*
v2.0.0
v2.0.1
v2.0.10
v2.0.11
v2.0.12
v2.0.13
v2.0.14
v2.0.15
v2.0.16
v2.0.17
v2.0.18
v2.0.19
v2.0.2
v2.0.3
v2.0.4
v2.0.5
v2.0.6
v2.0.7
v2.0.8
v2.0.9
v2.1.0
v2.1.1
v2.2.0
v2.2.1
v2.3.0
v2.3.1
v2.3.2
v2.4.0
v2.4.1
v2.4.2
v2.4.3
v2.4.4
v2.4.5
v2.4.6
v2.4.7pre2
v2.4.7pre4
v2.5.0
v2.5.1
v2.5.1pre1
v2.5.1pre2
v2.5.1pre3
v2.5.2
v2.5.2pre1
v2.5.2pre2
v2.5.2pre3
v2.5.3
v2.5.3pre1
v2.5.4
v2.5.4pre1
v2.5.5
v2.5.5.rc1
v2.5.6
v2.6.0
v2.6.0pre1
v2.6.0pre2
v2.6.1
v2.6.1pre1
v2.6.1pre2
v2.6.2
v2.6.2pre1
v2.6.3
v2.6.3pre1
v2.6.3pre2
v2.6.4
v2.6.4pre1
v2.6.4pre2
v2.6.4pre3
v2.6.4pre4
v2.6.5
v2.6.5pre1
v2.6.5pre2
v2.6.6pre1
v2.6.7
v2.6.7pre1
v2.6.7pre2
v2.6.7pre3
v2.6.8
v2.6.8pre1
v2.6.9
v2.6.9pre1
v2.6.9pre2
v2.6.9pre3
v3.*
v3.0.0
v3.0.0pre1
v3.0.0pre10
v3.0.0pre2
v3.0.0pre3
v3.0.0pre4
v3.0.0pre5
v3.0.0pre6
v3.0.0pre7
v3.0.0pre8
v3.0.0pre9
v3.0.1
v3.0.1pre1
v3.0.1pre2
v3.0.1pre3
v3.0.2
v3.0.3
v3.0.3pre1
v3.0.3pre2
v3.0.3pre3
v3.1.0
v3.1.0pre1
v3.1.1
v3.1.1pre1
v3.1.1pre2
v3.1.2
v3.1.2pre1
v3.1.3
v3.1.3pre1
v3.2.0
v3.2.0pre1
v3.2.0pre2
v3.2.0pre3
v3.2.1
v3.2.1pre1
v3.2.2
v3.2.2pre1
v3.2.2pre2
v3.2.2pre3
v3.2.3
v3.2.3pre1
v3.2.4
v3.2.4pre1
v3.2.4pre2
v3.2.4pre3
v3.2.4pre4
v3.2.5
v3.2.5pre1
v3.2.5pre2
v3.2.6
v3.2.7
v3.2.7pre1
v3.3.0
v3.3.0pre1
v3.4.0
v3.4.1
v3.4.2

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43619.json"

Git / github.com/rsyncproject/rsync

Affected ranges

Type
GIT
Repo
https://github.com/rsyncproject/rsync
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
2c7777aaa62abeb1bca192da345e6e8c685e872a
Database specific 
{
    "source": "REFERENCES"
}

Affected versions

Other
mbp_bk_export0
v1.*
v1.6.4
v1.6.5
v1.6.6
v1.6.7
v1.6.8
v1.6.9
v1.7.0
v1.7.1
v1.7.2
v1.7.3
v1.7.4
v2.*
v2.0.0
v2.0.1
v2.0.10
v2.0.11
v2.0.12
v2.0.13
v2.0.14
v2.0.15
v2.0.16
v2.0.17
v2.0.18
v2.0.19
v2.0.2
v2.0.3
v2.0.4
v2.0.5
v2.0.6
v2.0.7
v2.0.8
v2.0.9
v2.1.0
v2.1.1
v2.2.0
v2.2.1
v2.3.0
v2.3.1
v2.3.2
v2.4.0
v2.4.1
v2.4.2
v2.4.3
v2.4.4
v2.4.5
v2.4.6
v2.4.7pre2
v2.4.7pre4
v2.5.0
v2.5.1
v2.5.1pre1
v2.5.1pre2
v2.5.1pre3
v2.5.2
v2.5.2pre1
v2.5.2pre2
v2.5.2pre3
v2.5.3
v2.5.3pre1
v2.5.4
v2.5.4pre1
v2.5.5
v2.5.5.rc1
v2.5.6
v2.6.0
v2.6.0pre1
v2.6.0pre2
v2.6.1
v2.6.1pre1
v2.6.1pre2
v2.6.2
v2.6.2pre1
v2.6.3
v2.6.3pre1
v2.6.3pre2
v2.6.4
v2.6.4pre1
v2.6.4pre2
v2.6.4pre3
v2.6.4pre4
v2.6.5
v2.6.5pre1
v2.6.5pre2
v2.6.6pre1
v2.6.7
v2.6.7pre1
v2.6.7pre2
v2.6.7pre3
v2.6.8
v2.6.8pre1
v2.6.9
v2.6.9pre1
v2.6.9pre2
v2.6.9pre3
v3.*
v3.0.0
v3.0.0pre1
v3.0.0pre10
v3.0.0pre2
v3.0.0pre3
v3.0.0pre4
v3.0.0pre5
v3.0.0pre6
v3.0.0pre7
v3.0.0pre8
v3.0.0pre9
v3.0.1
v3.0.1pre1
v3.0.1pre2
v3.0.1pre3
v3.0.2
v3.0.3
v3.0.3pre1
v3.0.3pre2
v3.0.3pre3
v3.1.0
v3.1.0pre1
v3.1.1
v3.1.1pre1
v3.1.1pre2
v3.1.2
v3.1.2pre1
v3.1.3
v3.1.3pre1
v3.2.0
v3.2.0pre1
v3.2.0pre2
v3.2.0pre3
v3.2.1
v3.2.1pre1
v3.2.2
v3.2.2pre1
v3.2.2pre2
v3.2.2pre3
v3.2.3
v3.2.3pre1
v3.2.4
v3.2.4pre1
v3.2.4pre2
v3.2.4pre3
v3.2.4pre4
v3.2.5
v3.2.5pre1
v3.2.5pre2
v3.2.6
v3.2.7
v3.2.7pre1
v3.3.0
v3.3.0pre1
v3.4.0
v3.4.1
v3.4.2

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43619.json"